Data Classification

Important

This feature is in Public Preview.

This page describes how to use Databricks Data Classification in Unity Catalog to automatically classify and tag sensitive data in your catalog.

Data catalogs can have a vast amount of data, often containing known and unknown sensitive data. It is critical for data teams to understand what kind of sensitive data exists in each table so that they can both govern and democratize access to this data.

To address this problem, Databricks Data Classification uses an AI agent to automatically classify and tag tables in your catalog. This allows you to discover sensitive data and to apply governance controls over the results, using tools such as Unity Catalog attribute-based access control (ABAC).

Using this feature, you can:

  • Classify data: The engine uses an agentic AI system to automatically classify and tag any tables in Unity Catalog.
  • Optimize cost through intelligent scanning: The system intelligently determines when to scan your data by leveraging Unity Catalog and the Data Intelligence Engine. This means that scanning is incremental and optimized to ensure all new data is classified without manual configuration.
  • Review and protect sensitive data: The results display assists you in viewing classification results and protecting sensitive data by tagging and creating access control policies for each class.

Important

Databricks Data Classification uses default storage to store classification results. You are not billed for the storage.

Databricks Data Classification uses a large language model (LLM) to assist with classification.

Requirements

Note

Data classification is a workspace-level preview feature, and it can only be managed by a workspace or account admin. For instructions, see Manage Azure Databricks previews.

  • Your workspace must have serverless compute available (enabled by default in workspaces with Unity Catalog).
  • To enable data classification, you must own the catalog or have USE CATALOG and MANAGE privileges on it.
  • To enable automatic tagging for a catalog, you must have USE CATALOG on the catalog, APPLY TAG on the catalog, and ASSIGN on the tag being applied.
  • To view classification results in the UI, you must have USE CATALOG and either MANAGE or (SELECT + USE SCHEMA) on the catalog. To see sample values associated with detections, you must have SELECT on the The results system table.

Note

By default, only account admins have MANAGE and ASSIGN permissions on data classification system governed tags. Account admins can grant MANAGE and ASSIGN for individual governed tags to other users, service principals, or groups. See Manage permissions on governed tags.

Use data classification

You can enable data classification for multiple catalogs at once from the results page, or configure individual catalogs with more granular schema-level control.

Enable multiple catalogs

  1. On the Data Classification results page, click Configure.
  2. Select the catalogs you want to enable, or select all available catalogs in the workspace.
  3. Click Enable.

Enabling all available catalogs does not automatically enable future catalogs. To classify a new catalog, return to the Configure dialog and enable it.

Enable a single catalog with schema selection

To choose specific schemas within a catalog:

  1. Navigate to the catalog and click the Details tab.

    Details tab for the catalog page in Catalog Explorer.

  2. Next to Data Classification, click the Enable button.

  3. The Data Classification dialog appears. By default, all schemas are included. To include only some schemas, select them in the Schemas to include dropdown menu. You can also select a Usage policy

    Settings modal for Data Classification.

  4. Click Save.

This creates a background job that incrementally scans all tables in the catalog or selected schemas.

The classification engine relies on intelligent scanning to determine when to scan a table. New tables and columns in a catalog are typically scanned within 24 hours of being created.

View classification results

To view classification results, click View results next to the Data Classification setting.

View results button for Data Classification.

This opens the Data Classification UI for the catalog. To view classification results, a serverless SQL warehouse is required.

You can also view aggregated results across all classified catalogs in the metastore by using the catalog selector at the upper left. Choose All catalogs from the drop-down menu.

For each classification type, the table shows:

  • Detected columns: The number of columns where the classification was detected.
  • Auto-tagging: The tagging status for that classification — Active or Inactive. In the metastore view, a status of Partially Active indicates that tagging is enabled in some but not all catalogs.
  • User Access (last 7d): The number of distinct users who accessed unmasked vs. masked data of that classification over the last 7 days. Use this to assess the exposure of sensitive data across your organization.

Results page showing table of detected classes.

Review detections

To review the results for a specific classification type, click Review in the rightmost column. A panel appears with two tabs:

  • Detected Columns: Displays the columns where the classification tag was detected with high confidence, ordered by most recent detection first. Also includes a Detections over time chart and a list of detected columns with sample values. Click any bar in the chart to see the specific detections for that date. Sample values appear only if you have the required permissions to view classification results.
  • User Access: Lists all users who accessed columns with this classification tag, showing their email and username along with whether they have masked or unmasked access.

Results showing columns with detected classifications.

If any detected columns are incorrect, you can click the Exclude icon to the right of the entry. See Exclude detections.

Enable automatic tagging

If the identified columns match your expectations, you can enable automatic tagging for the classification tag. When automatic tagging is enabled, all existing and future detections of this classification are tagged.

You can configure automatic tagging at two levels:

  • Metastore level: Enable or disable across all catalogs at once. You must be a metastore admin and have ASSIGN on the tag being applied.
  • Catalog level: Enable or disable for the current catalog only. Catalog-level settings take precedence over the metastore-level setting. You must have USE CATALOG and APPLY TAG on the catalog, and ASSIGN on the tag being applied.

At the catalog level, automatic tagging has three states:

  • Default (inherited): The catalog inherits the tagging setting from the metastore level.
  • Active: Tagging is explicitly enabled for this catalog, regardless of the metastore-level setting.
  • Inactive: Tagging is explicitly disabled for this catalog, regardless of the metastore-level setting.

When you disable tagging, no future tags are applied, but existing tags are not removed.

Note

When you enable automatic tagging, tags are not backfilled immediately. They will be populated in the next scan, which should take effect within 24 hours. Subsequent classifications will be tagged immediately.

Exclude detections

Important

Detection exclusions and their use to improve future classification accuracy are in Beta.

In the review panel, you can exclude individual column detections. Excluding a detection:

  • Removes any existing classification tag from that column.
  • Prevents future scans from reapplying the tag to that column.
  • Provides feedback that improves the accuracy of future classification results.

To exclude a detection, click the Exclude icon for the corresponding column in the review panel. To re-include the detection, click the icon again.

Excluding an individual column from detection.

How to handle incorrect tags

If a classification is incorrect, exclude the detection from the review panel. Excluding a detection removes the tag, prevents it from being reapplied, and improves the accuracy of future scans. See Exclude detections.

Scan errors

If any errors occur during the scan, an Errors button appears at the upper right of the results table.

Results page with Errors button at the upper right of the table.

Click the button to display the tables that failed the scan and associated error messages.

Data classification table scan errors.

By default, failures that occurred for individual tables are skipped and retried the following day.

Limitations

  • Views and metric views are not supported. If the view is based on existing tables, Databricks recommends classifying the underlying tables to see if they contain sensitive data.
  • Last updated on